
Phishing Fails, SRA Woes and the OCR Hammer – Ep 489 

 December 27, 2024

By Donna Grindle

It’s the final countdown, folks—the last episode of the year! And OCR decided to end 2024 with a bang, handing out settlements like candy at a Christmas parade. But here’s the twist: the candy comes with a price tag, and it’s not cheap. This episode hones in on OCR’s new enforcement initiative targeting incomplete and outdated risk analyses. So, before you pop the champagne, let’s make sure your SRA isn’t a ticking compliance time bomb.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


Thanks to our donors. We appreciate your support!


If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!

HIPAA Say What!?!

Three big announcements in a few days.

Phishing Fails, SRA Woes and the OCR Hammer

[02:17]

There were three enforcement actions announced back to back. Each of them relates to the SRA enforcement initiative. We have some more specifics about why they found these cases warranted a civil money penalty. Let’s look at what we can learn from these cases because there are definitely nuggets of information we should take note of in these.

#1 – Gulf Coast Pain Consultants Big Money Headline

HHS Office for Civil Rights Imposes a $1.19 Million Penalty Against Gulf Coast Pain Consultants for HIPAA Security Rule Violations

Systemic HIPAA Security Rule violations lead to OCR’s 6th penalty of the year

Gulf Coast Pain Consultants, d/b/a Clearway Pain Solutions Institute and operating in Florida, is the latest to make the news. This one is another CMP, and a big one: $1,190,000!

A breach was reported because a former contractor for the company had impermissibly accessed their EHR. The really bad part of it was that the records of 34,310 patients were downloaded for a Medicare fraud scam.

“Current and former workforce can present threats to health care privacy and security—risking continuity of care and trust in our health care system,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity and compliance with the HIPAA Security Rule means being proactive in reviewing who has access to health information and responding quickly to suspected security incidents.”

OCR noted four violations of the Security Rule, including failures to:

  • Conduct an accurate and thorough risk analysis
  • Implement procedures to regularly review records of activity in information systems
  • Implement procedures to terminate former workforce members’ access to ePHI
  • Implement procedures for establishing and modifying workforce members’ access to information systems
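As an added illustration of the three procedural controls above, here is a small Python reconciliation of an EHR audit log against a workforce roster: it flags accounts still enabled after an engagement end date, log events by an account after that date, and accounts that touch an unusual number of distinct patient records in one day. This is example code written for these notes, not anything from the show, HHS, or Gulf Coast’s systems; every account, date, threshold and log line is constructed, and the log format is an assumption.

```python
# Added example, not from the show or from HHS: reconcile a constructed EHR
# audit log against a constructed workforce/contractor roster to operationalize
# the controls OCR cited (activity review, access termination, access management).
# The log format (timestamp account action patient_id) is an assumption.
from collections import defaultdict
from datetime import date, datetime

# Constructed roster: account -> engagement end date (None for permanent staff)
# and whether the account is still enabled in the EHR.
ROSTER = {
    "dr.smith":     {"end": None,              "enabled": True},
    "contractor01": {"end": date(2019, 4, 30), "enabled": True},   # ended, never disabled
    "temp.clerk":   {"end": date(2018, 12, 31), "enabled": False},  # ended and disabled
}

# Constructed audit-log lines: ISO timestamp, account, action, patient id.
AUDIT_LOG = """\
2019-03-01T09:12:00 dr.smith record_view P1001
2019-03-01T09:15:00 dr.smith record_view P1002
2019-04-29T22:40:00 contractor01 record_export P2001
2019-04-29T22:40:05 contractor01 record_export P2002
2019-04-29T22:40:10 contractor01 record_export P2003
2019-04-29T22:40:15 contractor01 record_export P2004
2019-05-02T08:14:00 contractor01 record_view P2005
2019-05-02T08:20:00 temp.clerk record_view P3001
""".splitlines()


def parse_line(line):
    """Split one audit-log line into (datetime, account, action, patient_id)."""
    ts, account, action, patient = line.split()
    return datetime.fromisoformat(ts), account, action, patient


def orphaned_accounts(roster, as_of):
    """Accounts whose engagement ended on or before `as_of` but are still enabled.

    `as_of` may be a date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    return sorted(acct for acct, rec in roster.items()
                  if rec["end"] is not None and rec["end"] <= as_of and rec["enabled"])


def post_termination_access(roster, log_lines):
    """Events by unknown accounts, or by accounts after their engagement end date."""
    findings = []
    for line in log_lines:
        ts, account, action, patient = parse_line(line)
        rec = roster.get(account)
        if rec is None or (rec["end"] is not None and ts.date() > rec["end"]):
            findings.append((ts.isoformat(), account, action, patient))
    return findings


def bulk_access(log_lines, max_patients_per_day=3):
    """Accounts that touched more than `max_patients_per_day` distinct patients in one day."""
    seen = defaultdict(set)
    for line in log_lines:
        ts, account, _, patient = parse_line(line)
        seen[(account, ts.date())].add(patient)
    return sorted((acct, day.isoformat(), len(patients))
                  for (acct, day), patients in seen.items()
                  if len(patients) > max_patients_per_day)


if __name__ == "__main__":
    print("Still enabled after engagement end:", orphaned_accounts(ROSTER, "2019-05-01"))
    print("Post-termination access events:", post_termination_access(ROSTER, AUDIT_LOG))
    print("Bulk access (> 3 patients/day):", bulk_access(AUDIT_LOG))
```

The bulk-access threshold is deliberately tiny so the constructed sample trips it; in practice the threshold would be set per role from a baseline of normal activity, and the review would be scheduled, with its output retained as the “record of activity review” an investigator will ask for.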

Gulf Coast Pain Consultants Notice of Proposed Determination | HHS.gov

Gulf Coast Pain Consultants Notice of Final Determination | HHS.gov

Timeline of Key Events Gulf Coast Pain

  1. May 3, 2018:
    • Gulf Coast Pain Consultants retained an independent contractor to provide business consulting services.
    • The contract was set to last one year, from May 8, 2018, to April 30, 2019.
  2. September 7, 2018 – February 3, 2019:
    • During this period, the contractor impermissibly accessed Gulf Coast’s electronic medical record (EMR) system on three occasions.
    • The unauthorized access involved electronic protected health information (ePHI) of approximately 34,310 individuals.
  3. February 20, 2019:
    • Gulf Coast discovered the unauthorized access by the contractor.
    • It was also uncovered that the contractor generated false medical claims for services that were never rendered.
    • Approximately 6,500 false Medicare claims were linked to the contractor’s fraudulent activity.
    • The contractor was later indicted under 18 U.S.C. §1347 (Health Care Fraud) and 18 U.S.C. §1028(a)(1) (Identity Fraud) but was ultimately found not guilty.
  4. April 30, 2019:
    • The contractor’s contract officially ended, but Gulf Coast had failed to terminate their access to the EMR system, allowing the unauthorized activities to occur.
  5. August 9, 2019:
    • Gulf Coast Pain Consultants submitted a breach notification to the OCR, as required under HIPAA’s Breach Notification Rule, detailing the unauthorized access and potential impact on patient data.
  6. August 14, 2024 (5 years later):
    • OCR issued a Notice of Proposed Determination, finding Gulf Coast responsible for multiple HIPAA violations, including failing to conduct a risk analysis and not implementing proper access controls.
  7. September 23, 2024:
    • Gulf Coast waived its right to a hearing and accepted the $1.19 million civil monetary penalty proposed by OCR.

How OCR Calculated the GCPC Civil Monetary Penalty (CMP)

First, OCR has to classify the violations. Remember that the penalty tiers are based on the level of culpability OCR determines for each violation.

  1. Basis for Penalty Assessment:
    • OCR determined that Gulf Coast violated multiple provisions of the HIPAA Security Rule.
    • The violations were categorized under the Willful Neglect tier, meaning they were due to conscious disregard for compliance.
  2. Factors Considered in the Calculation:
    • Nature and Extent of the Violation:
      • Gulf Coast failed to conduct a risk analysis and implement proper access controls, which are foundational requirements of the HIPAA Security Rule.
      • The breach exposed sensitive ePHI of approximately 34,310 individuals.
    • Harm Resulting from the Violation:
      • Unauthorized access led to the fraudulent use of patient data, which could have caused reputational and financial harm to affected individuals.
    • Duration of Noncompliance:
      • Gulf Coast’s noncompliance with key HIPAA requirements spanned several years, with specific incidents occurring between 2018 and 2019.
  3. Penalty Per Violation:
    • OCR applied a per-violation penalty for each day Gulf Coast was found noncompliant.
    • The Willful Neglect tier allows for higher penalties, capped at $1.5 million per year per violation.
  4. Aggravating Factors:
    • Gulf Coast’s failure to terminate the contractor’s access to the EMR system after the contract ended was a key aggravating factor.
    • Lack of action to address risks identified during the breach period demonstrated systemic issues.
  5. Mitigating Factors:
    • OCR considered any corrective actions Gulf Coast might have taken after the breach, though these appeared limited or insufficient to fully mitigate the violations.
  6. Total CMP Amount:
    • Based on these factors, OCR imposed a $1.19 million CMP, emphasizing the significance of Gulf Coast’s security failures and the preventability of the breach.

CMP Calculation Breakdown

  1. HIPAA Violation Categories:
    • The violations fell into the Willful Neglect – Not Corrected tier, which has the highest penalties per violation.
    • Penalty range for this tier: $60,226 to $1.806 million per violation, per year.
  2. Number of Violations Identified:
    • OCR identified four key violations of the HIPAA Security Rule:
      • Failure to conduct a Risk Analysis.
      • Failure to implement Audit Controls.
      • Failure to implement Access Termination Procedures.
      • Failure to establish Access Management Policies.
  3. Timeframe of Noncompliance:
    • Gulf Coast was found noncompliant over a period of two years (2018–2019).
    • OCR calculated daily penalties for each year of noncompliance.
  4. Daily Penalty Amounts:
    • OCR applied a $1,280 daily penalty (mid-range within the Willful Neglect tier).
    • The daily penalty reflects both the severity and the systemic nature of Gulf Coast’s HIPAA violations.
  5. Calculation of Total CMP:
    • Risk Analysis Failure: $1,280/day x 730 days = $934,400.
    • Audit Controls Failure: $1,280/day x 730 days = $934,400.
    • Access Termination Failure: $1,280/day x 730 days = $934,400.
    • Access Management Failure: $1,280/day x 730 days = $934,400.
    • OCR consolidated overlapping violations and capped the total penalties at $1.19 million, reflecting the maximum amount assessed for the specific scope of violations.
  6. Mitigating and Aggravating Factors:
    • Aggravating Factors:
      • High number of individuals affected (34,310 individuals).
      • Contractor’s fraudulent activities resulting in 6,500 false Medicare claims.
    • Mitigating Factors:
      • Gulf Coast cooperated with OCR’s investigation and did not contest the findings.
    • These factors influenced OCR’s decision to set the penalty just below the maximum allowable cap for the identified violations.

It could have been far more money; based on what we see here, OCR elected not to bring down the hammer as hard as it could have. The penalty is huge, but it is still not as bad as it could have been.

#2 – Children’s Hospital Colorado Gets Slightly Better Deal

[17:39]

Children’s Hospital Colorado Notice of Proposed Determination | HHS.gov

Multiple HIPAA violations lead to OCR’s 7th penalty of the year

CHC reported multiple email breaches due to multiple phishing attacks over several years.

“Email continues to be a very common way for cyberattackers to enter health information systems and jeopardized [sic] privacy and security,” said OCR Director Melanie Fontes Rainer. “Health care entities should identify potential risks and vulnerabilities to email accounts and train their workforce to protect health information in those accounts.”

Timeline of Key Events CHC

  1. July 11, 2017:
    • A security breach occurred when a physician’s email account at CHC was compromised.
    • The compromised account contained the PHI of 3,370 children.
    • This breach occurred because the hospital’s IT help desk had previously disabled two-factor authentication (2FA) for this account and failed to reactivate it.
  2. September 8, 2017:
    • CHC reported the 2017 Breach to OCR, fulfilling its HIPAA Breach Notification Rule obligations.
  3. September 29, 2017:
    • OCR launched an investigation into CHC’s compliance with HIPAA Privacy and Security Rules following the 2017 reported breach.
  4. June 19, 2018:
    • OCR informed CHC that its submitted risk analyses did not meet the HIPAA Security Rule requirements.
    • OCR determined that CHC’s risk analyses were neither accurate nor thorough, as they failed to account for all locations and systems that created, received, maintained, or transmitted ePHI.
  5. June 20, 2018:
    • OCR provided technical assistance to CHC on the HIPAA Security Rule and the requirements for risk analysis.
  6. April 29, 2019: (It looks like this was an open item from the original investigation that wasn’t documented until after the SRA technical assistance in 2018)
    • CHC informed OCR that it had not provided required HIPAA Privacy Rule training to all members of its workforce, including nursing students.
    • The lack of training impacted 6,666 workforce members, including 3,495 nursing students, during the period January 1, 2013, to December 31, 2018.
  7. May 14, 2019: (OCR likely asked some question and got the answer here)
    • CHC confirmed the numbers reported earlier, admitting the full scope of noncompliance regarding workforce training.
  8. April 6–13, 2020:
    • A second breach occurred, during which unauthorized third parties accessed two CHC workforce members’ email accounts.
    • These accounts contained the PHI of 10,840 individuals, including names, medical record numbers, dates of service, medical diagnoses, Social Security numbers, and driver’s license numbers.
    • The breach was facilitated by fraudulent multi-factor authentication (MFA) requests that two staff members accepted without verification.
  9. July 27, 2020:
    • CHC reported the 2020 Breach to OCR.
  10. October 9, 2020:
    • OCR initiated an investigation into CHC’s compliance with HIPAA rules following the 2020 breach report.
  11. February 5, 2021:
    • CHC submitted an updated risk analysis, which OCR deemed compliant with HIPAA standards.
    • OCR determined that CHC failed to conduct an adequate risk analysis from May 1, 2017, to February 5, 2021.
  12. June 23, 2023:
    • OCR officially notified CHC of the investigation findings, offering an opportunity to resolve the matter informally.
  13. October 13, 2023:
    • OCR issued a Letter of Opportunity (LOO), providing CHC with a chance to present mitigating evidence or affirmative defenses.
    • CHC responded on November 8, 2023, but OCR determined that no affirmative defenses or mitigating factors justified a reduction or waiver of the proposed penalty.
  14. June 11, 2024:
    • OCR issued a Notice of Proposed Determination (NPD), proposing a $548,265 CMP for the HIPAA violations.

Severity of Violations: “Reasonable Cause” Tier

  1. Definition of “Reasonable Cause”:
    • According to the HIPAA regulations, “Reasonable Cause” refers to situations where a covered entity knew, or by exercising reasonable diligence would have known, that an act or omission violated the HIPAA Administrative Simplification provision, but the entity did not act with willful neglect.
  2. Applicable Violations Assigned to “Reasonable Cause”:
    • Failure to Conduct Risk Analysis (May 1, 2017 – February 5, 2021):
      • OCR determined CHC’s risk analyses were insufficient under the HIPAA Security Rule.
    • Failure to Provide Workforce Training (January 1, 2013 – December 31, 2018):
      • CHC admitted that a significant portion of its workforce, including nursing students, did not receive required HIPAA Privacy Rule training.
    • Impermissible Disclosure of PHI (April 2020):
      • Unauthorized third-party access to three email accounts containing sensitive patient information resulted from user errors in MFA processes.
  3. Penalty Tier Justification:
    • The “Reasonable Cause” tier was used because CHC’s violations, while significant, were not determined to have been caused by willful neglect, i.e., a conscious or reckless disregard for compliance.
  4. Impact on CMP Calculation:
    • The “Reasonable Cause” tier capped penalties per violation at $100,000 annually.
    • Total penalties across the violations amounted to $548,265, reflecting a mid-tier assessment of culpability.

How They Got to the Penalty Amount – CHC

  1. Failure to Conduct a Risk Analysis:
    • Noncompliance from May 1, 2017, to February 5, 2021 = CMP: $348,265.
  2. Failure to Train Workforce:
    • HIPAA Privacy Rule training was not provided to 6,666 workforce members by November 30, 2018 = CMP: $100,000.
  3. Impermissible Disclosure of PHI:
    • PHI for 10,840 individuals was disclosed during the 2020 Breach = CMP: $100,000.

#3 – Hot off the presses – we have one more!!!

[38:08]

Inmediata Health Group, LLC Resolution Agreement and Corrective Action Plan | HHS.gov

$250,000 settlement resolves longstanding HIPAA Security Rule failures

“Health care entities must ensure that they are not leaving patient health information accessible online to anyone with an internet connection,” said OCR Director Melanie Fontes Rainer. “Effective cybersecurity means being proactive and vigilant in searching for risks and vulnerabilities to health data and preventing unauthorized access to patient health information.”

On November 16, 2018, OCR received a complaint alleging that ePHI of Inmediata’s patients was available online to unauthorized individuals. OCR’s investigation substantiated the allegations and determined that from May 16, 2016 to January 23, 2019, the ePHI of 1,565,338 individuals was publicly available online and was indexed and cached by search engines.

That means they had violations for impermissible disclosures right off the bat. Then, the investigation found “multiple potential HIPAA Security Rule violations including: failures by Inmediata to conduct a compliant risk analysis to determine the potential risks and vulnerabilities to ePHI in its systems; and to monitor and review its health information systems’ activity”.

Inmediata paid $250,000 under the resolution agreement. OCR didn’t impose its own CAP because Inmediata had already entered into one when it settled a separate case with 33 states over the breach. That settlement was for $1.4m, divided across all the states.

That state settlement has a very detailed CAP with a 5-year period of annual assessments of the compliance program by a third-party assessor. That report must be sent to the Indiana Attorney General (IN AG) for review. The CAP that OCR puts together looks like nothing compared to this one. No wonder OCR was happy to take its cut of the cash and move on to another case.

It’s About the SRA, Folks

[44:03]

If there’s one takeaway from these OCR cases, it’s that Security Risk Analysis (SRA) isn’t just a check-the-box task or something to hand off entirely to your IT department. An SRA requires a comprehensive and organizational approach. It’s about understanding where your risks lie, across every nook and cranny of your operations—not just your technology systems. IT might handle the technical side, but they can’t identify gaps in policies, workforce practices, or administrative safeguards alone.

OCR has been crystal clear: an SRA that fails to consider all locations and systems that create, receive, maintain, or transmit ePHI is not compliant. And if your risk analysis is outdated, incomplete, or focused solely on IT infrastructure, you’re setting yourself up for trouble. This is why OCR created a video specifically on how to do an SRA the right way—not the way we’ve seen so many organizations do it in the past. Spoiler alert: it’s not just a job for your IT team.

Take the time to watch OCR’s video on SRAs and really dig into what’s required. A proper SRA isn’t just about avoiding fines—it’s about protecting your patients, your organization, and your reputation. So, carve out time to get your SRA right. After all, it’s better to spend hours now understanding the nuances than years explaining your breaches to OCR later.

OCR Webinar: The HIPAA Security Rule Risk Analysis Requirement

If OCR is Santa, your risk analysis better be the cookies and milk—because showing up unprepared lands you on the naughty (and expensive) list. One thing is crystal clear: OCR is on a mission to make sure everyone understands the importance of a comprehensive and thorough risk analysis. Their latest enforcement spree is a not-so-subtle reminder that shortcuts and half-baked compliance measures won’t cut it. So, as you finalize those New Year’s resolutions, add “complete SRA overhaul” to the list—right next to “drink more water” and “actually stick to my budget.”

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
